CVE-2018-25115

9.8 CRITICAL

📋 TL;DR

This CVE describes an unauthenticated remote command execution vulnerability in multiple D-Link DIR-series routers. Attackers can send specially crafted HTTP POST requests to the service.cgi endpoint to execute arbitrary system commands with root privileges. Affected users are those running vulnerable firmware on listed D-Link DIR router models.

💻 Affected Systems

Products:
  • D-Link DIR-110
  • D-Link DIR-412
  • D-Link DIR-600
  • D-Link DIR-610
  • D-Link DIR-615
  • D-Link DIR-645
  • D-Link DIR-815
Versions: Firmware version 1.03 (other versions may also be affected)
Operating Systems: Embedded Linux/RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: These router models are end-of-life and no longer supported by D-Link. The web interface is typically exposed by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device takeover allowing attackers to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the router as part of botnets or for cryptocurrency mining.

🟠

Likely Case

Router compromise leading to DNS hijacking, credential theft from network traffic, and use as a proxy for malicious activities.

🟢

If Mitigated

Limited impact if routers are behind firewalls with strict inbound filtering, though internal exploitation remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a single HTTP POST request. Public proof-of-concept code is available, and evidence of active exploitation has been observed by the Shadowserver Foundation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://support.dlink.com/EndOfLifePolicy.aspx

Restart Required: No

Instructions:

No official patch available. D-Link has ended support for these models. Replace affected hardware with supported devices.

🔧 Temporary Workarounds

Disable remote administration
Applies to: all
Turn off remote management/administration features to prevent external exploitation.

Network segmentation and filtering
Applies to: all
Place routers in isolated network segments and implement strict firewall rules.

🧯 If You Can't Patch

  • Immediately replace affected routers with supported models
  • Implement network monitoring and intrusion detection for suspicious HTTP POST requests to service.cgi

🔍 How to Verify

Check if Vulnerable:

Check the router web interface for the model and firmware version. If it is running affected firmware on a listed model, assume it is vulnerable.

Check Version:

Log in to the router web interface and check the System Status or Firmware Information page.

Verify Fix Applied:

Verify that the router has been replaced with supported hardware, or test with a controlled exploit attempt (not recommended in production).

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /service.cgi with EVENT=CHECKFW parameter containing shell metacharacters
  • Unusual system command execution in router logs

Network Indicators:

  • HTTP traffic to router on port 80/443 containing shell commands in POST data
  • Outbound connections from router to suspicious IPs

SIEM Query:

source="router_logs" AND (url="/service.cgi" AND method="POST" AND (param="EVENT=CHECKFW" AND (content="|" OR content="$" OR content="&" OR content=";")))
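An added example, not part of this advisory, of the log check described above in Python: it flags POST bodies to /service.cgi whose EVENT=CHECKFW value carries shell metacharacters, splitting on the parameter separator before URL-decoding so that a plain `&` between fields does not trigger (the literal `content="&"` term in the query above would match every multi-parameter body). The log line layout, the LINE_RE pattern and the sample lines are constructed assumptions; adapt the pattern to your own access logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real captures). The layout assumed here
# is: client_ip method path status "request_body"; adapt LINE_RE to your logs.
SAMPLE_LOG = """\
203.0.113.10 POST /service.cgi 200 "EVENT=CHECKFW&FW=1.03"
198.51.100.7 GET /service.cgi 200 ""
203.0.113.44 POST /service.cgi 200 "EVENT=CHECKFW;id"
192.0.2.9 POST /service.cgi 200 "EVENT=CHECKFW%3Bls"
192.0.2.21 POST /login.cgi 302 "user=admin&pw=x"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
SHELL_META = set("|$&;`")

def suspicious_checkfw(body):
    """Return the decoded EVENT value if it is a CHECKFW request carrying
    shell metacharacters, else None. The body is split on '&' *before*
    decoding so the parameter separator itself is never counted, while an
    encoded separator (%26) inside a value still is."""
    for pair in body.split("&"):
        key, _, raw_value = pair.partition("=")
        if key != "EVENT":
            continue
        value = unquote_plus(raw_value)
        if value.startswith("CHECKFW") and SHELL_META & set(value):
            return value
    return None

def scan_log(text):
    """Return a list of (client_ip, decoded EVENT value) for each POST to
    /service.cgi whose CHECKFW parameter looks like command injection."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status, body = m.groups()
        if method != "POST" or path.split("?", 1)[0] != "/service.cgi":
            continue
        value = suspicious_checkfw(body)
        if value is not None:
            hits.append((ip, value))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: EVENT={value!r}")
```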

🔗 References
